Can CGS Detect Apache Log4j2 Remote Code Execution Vulnerabilities?

Apache Log4j2 is a widely used Java-based logging utility. If you are an Apache Log4j2 user, check your system and implement timely security hardening.

Reference: https://logging.apache.org/log4j/2.x/security.html

• Severity: important (Severity levels: low, moderate, important, and critical)
• Affected versions: all versions later than 2.0-beat9 and earlier than 2.16.0, excluding 2.12.2
• Upgrade affected applications and components, such as spring-boot-starter-log4j2, Apache Solr, Apache Flink, and Apache Druid.
• Secure versions: Apache Log4j 1.x and Apache Log4j 2.16.0
• Vulnerability handling

  This vulnerability has been fixed in the official version. Upgrade all applications related to Apache Log4j2 to a secure version as soon as possible. Link: https://logging.apache.org/log4j/2.x/download.html

  Java 8 (or later) users should upgrade to release 2.16.0.

  Java 7 users should upgrade to release 2.12.2.

  Huawei Cloud Container Guard Service (CGS) can scan private images for the vulnerability. The basic edition is free of charge. Log in to the CGS console, choose Image Security, click the Image Vulnerabilities tab, and click the Private Image Vulnerabilities tab. For details, see Managing Private Image Vulnerabilities.

  

  • If the upgrade cannot be performed in a timely manner, run the following command to remove the JndiLookup class from the classpath, and restart the service.

    zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

  • Note: Before fixing vulnerabilities, back up your files and conduct a thorough test.